Cloud attacks are following enterprise workloads

Enterprise workloads are shifting to Cloud and hosting environments in ever greater numbers and attacks that have historically targeted on-premises environments are following them, according to a new report.

But while attacks on cCloud environments have increased significantly in frequency and are becoming as diverse as those targeting on-premises datacentres, the data also reveals that the Cloud is not inherently less secure than traditional on-premises environments.

"Cloud deployments are no less secure than your own data centers," says Stephen Coty, chief security evangelist at Alert Logic, a provider of managed security services for on-premises data centers as well as hosting and cloud service providers. "That's what the numbers are really showing across the board."

Alert Logic this week released its Spring 2014 Cloud Security Report, the latest in a series of Cloud security reports it began releasing in early 2012.

The Spring 2014 report is based on a combination of real-world security incidents captured in customer environments secured via Alert Logic's intrusion detection system (IDS) and honeypot data gathered using low-interaction software to emulate a vulnerable OS. The report draws from 232,364 verified security incidents (validated by a team of Global Information Assurance Certification (GIAC)-certified security analysts) that were identified from more than one billion events observed between April 1 and September 30, 2013.

Alert Logic says the customer set includes 2,212 organisations across multiple industries, located primarily in North America and Western Europe. Of those customers, 80 per cent use Cloud hosting provider (CHP) environments, while 20 per cent represent on-premises datacentres.

Alert Logic found that with a single exception, attacks have increased across all incident types malware/botnet, brute force, vulnerability scan, Web app attack, recon and app attack in both on-premises and CHP environments.

In CHP environments, brute force attacks (exploit attempts enumerating a large number of combinations in hopes of finding a weakness) increased from 30 per cent of customers in the 2013 report to 44 per cent of customers in the current report. Vulnerability scans (automated vulnerability discovery in applications, services or protocol implementations) increased from 27 per cent to 44 per cent in the same period.

The sole exception to the increases was app attacks (exploit attempts against applications or services not running over HTTP) in on-premises environments, which were experienced by 19 per cent of on-premises customers in 2013 and 16 per cent in 2014. On the CHP side, app attacks increased from 3 per cent of customers to 4 per cent of customers over the same period.

Coty notes that while brute force attacks and vulnerability scans have historically been far more likely to target on-premises environments, the data show that they are now occurring at near-equivalent rates in both CHP and on-premises environments. Likewise, malware/botnet attacks, which are the most prevalent form of incident for on-premises datacentres (affecting 56 per cent of customers), are on the rise in CHP environments; they now affect 11 per cent of customers.

Still, the most prevalent types of incident do vary between on-premises environments and CHP environments. The top three incident classes for on-premises datacentres were malware/botnet (affecting 56 per cent of customers), brute force (49 percent of customers) and vulnerability scans (40 per cent of customers). For CHPs, the most common incidents were brute force (44 per cent), vulnerability scans (44 per cent) andWeb application attacks (44 per cent).

"Our intelligence suggests that the observed increase in cloud attacks is correlated to the growth of cloud adoption in the enterprise," Coty says. "As more enterprise workloads have moved into the cloud and hosted infrastructures, some traditional on-premises threats have followed them. This reinforces the necessity for enterprise-grade security solutions specifically designed to protect Cloud environments."

"The number one thing you need to really understand in a Cloud environment is that security in the Cloud is a shared responsibility," Coty says. "The service provider is responsible for the foundation. They're even responsible for some level of perimeter security, hardening the hypervisor, giving you root access to your instance. But other than that, you as a consumer are 100 per cent responsible for what happens in that environment. The better you understand the shared model between you and your service provider, the better you'll be able to secure your environment. That really applies to all service providers."

Alert Logic's Cloud honeypots also told an interesting story. The company deployed its honeypots in public cloud infrastructures around the world in an effort to observe the types and frequencies of attacks, as well as how they vary geographically. Alert Logic found that honeypots in European Clouds experienced the highest number of attacks four times more than honeypots in US Clouds and twice as many as honeypots in Asian clouds.

The incident attack types against European honeypots were tremendously varied. They included: MS-SQL Server (13 per cent), MySQL (13 per cent), HTTP (13 per cent), RPC (13 per cent), FTP (13 per cent) and MS-DS (35 per cent).

"The attacks in Europe were probably more diverse than anywhere else in the world," Coty says. "Outside of attacks on Microsoft Directory Services, everything was about 13 per cent across the board."

Coty attributes the number and variety of attacks in Europe to Eastern European malware "factories," primarily in Russia, testing their efforts locally before deploying worldwide.

"The Eastern European guys who write a lot of this code test it in their own backyard," Coty says. "It originates from Europe. Once they've successfully deployed one place in Europe, they just go all over the globe now."

In Asia, the story is different. Attacks on MS-DS represent 85 percent of incidents there, particularly attacks on port 445. Coty attributes this to the plethora of pirated (and unpatched) Microsoft software in China and some other Asian countries. Port 445 supports direct hosted "NetBIOS-less" SMB traffic and file-sharing in Windows environments and, if not locked down appropriately, it is an easy target for accessing files and infecting systems.

Alert Logic also notes that 14 percent of the malware collected through its honeypot network was not detectable by 51 percent of the world's top antivirus vendors. That's not because it was zero-day malware, Coty notes. Instead, much of the malware that was missed was repackaged variants of older malware like Zeus and Conficker.

"The threat diversity for the Cloud has increased to rival that of on-premises environments," Alert Logic says in the report. "And new threats uncovered by our honeypot research demonstrate how top antivirus software vendors cannot be solely relied upon to detect attacks. The continued focus by hackers on infiltrating IT infrastructure underscores the importance of adopting the right security procedures and tools, and of continuously evaluating and adjusting those procedures and tools as attackers find new ways to thwart defense."

Coty says that much as with on-premises datacentres, security in depth is the key. He says a Cloud security solution should address:

Network: Firewall, intrusion detection and vulnerability scanning to provide detection and protection, while also lending visibility into security health.

Compute: Antivirus, log management and file integrity management to protect against known attacks, provide compliance and security visibility into activity within an environment and to help you understand when files have been altered (maliciously or accidentally).

Application: A Web application firewall to protect against the largest threat vector in the cloud: web application attacks. Encryption technologies should be ubiquitous for data in-flight protection, and some companies select encryption for data-at-rest when necessary, assuming applications can support it.

Application Stack: Security Information Event Management (SIEM) can address the big data security challenge by collecting and analysing all data sets. When deployed with the right correlation and analytics, this can deliver real-time insights into events, incidents and threats across a cloud environment.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.